Computer Science meets Philosophy: Ethics and Epistemology in Assurance and Certification of Autonomous Systems John Rushby Computer Science Laboratory SRI International Menlo Park, CA John Rushby, SR I CPS meets Philosophy 1
Starting Point: Assurance Cases • The state of the art in “classical” (i.e., pre-autonomy) assurance is a safety or (more generally) an assurance case • Assurance case: a structured argument, based on evidence, that certain claims hold ◦ CAE: claims, argument, evidence • Structured argument: hierarchical arrangement of argument steps • Argument step: local claim supported by a collection of subclaims or evidence • Simple form arguments: either subclaims or evidence, not both ◦ Reasoning step: claim supported by subclaims ◦ Evidential step: claim supported by evidence The two kinds of step are interpreted differently John Rushby, SR I CPS meets Philosophy 2
Normalizing an Argument to Simple Form In a generic notation (GSN shapes, CAE arrows) C C RS AS 1 1 SC SC SC E 1 1 N 1 ES ES AS N 2 2 E E E E E 2 3 1 2 3 RS : reasoning step; ES : evidential step John Rushby, SR I CPS meets Philosophy 3
For Example • The claim C could be system correctness ◦ E 2 could be test results ◦ E 3 could then be a description of how the tests were selected and the adequacy of their coverage So SC 1 is a claim that the system is adequately tested • And E 1 might be version management data to confirm it is the deployed software that was tested • Expect substantial narrative with each step to explain why the evidence or subclaims support the local claim John Rushby, SR I CPS meets Philosophy 4
Evidential Steps • Accept an evidentially supported claim when the “weight of evidence” crosses some threshold of credibility • Could be informal judgment • Or could add discipline of quantification: subjective probability ◦ Strength of belief represented by numbers that obey the axioms of probability • Elementary threshold of credibility: P ( C | E ) > θ • Difficult to estimate, better is P ( E | C ) > ν (use Bayes’ rule) • But really want to distinguish between C and ¬ C P ( E | C ) • So use a confirmation measure: e.g., log P ( E | ¬ C ) (I. J. Good) • Multiple items of evidence that are conditionally independent can each support their own claim (e.g., version management) • Others support a single claim, dependencies managed by BBNs John Rushby, SR I CPS meets Philosophy 5
Philosophy of Confirmation • Confirmation measures for weight of evidence developed by Turing and Good in WWII codebreaking • Now part of Bayesian Epistemology • There are many measures, not ordinally equivalent • But there is one that is ordinally equivalent to all “good ones” ◦ Shogenji’s measure: 1 − log P ( C | E ) log P ( C ) ◦ Homework: find one expressed in terms of P ( E | C ) • Suggestion for use in practice ◦ Hone judgment by doing numerical what-if exercises ◦ Then use informal judgment in practice John Rushby, SR I CPS meets Philosophy 6
Aside: Conjunction Fallacy • Evidence: Linda is 31 years old, single, outspoken and very bright. She majored in philosophy. As a student, she was deeply concerned with issues of discrimination and social justice, and also participated in anti-nuclear demonstrations • Claim 1: Linda is a bank teller • Claim 2: Linda is a bank teller and active in feminist movement • Which claim is more likely? • People overwhelmingly favor Claim 2 • But it must be less probable than Claim 1 • So people are irrational, cannot do simple probabilistic reasoning • No! They are using confirmation • People evolved to weigh evidence John Rushby, SR I CPS meets Philosophy 7
Requirement for “Sound” Assurance Cases • Purpose of a case is to give us justified belief in its top claim • In the limit, we want to know that the claim is true • Epistemology links these concepts (since Plato) ◦ Knowledge is justified true belief • But recently doubts have arisen. . . Gettier (1963) ◦ Over 3,000 citations, 3 pages, he wrote nothing else ◦ Gives 2 examples of justified true belief that do not correspond to to intuitive sense of knowledge ◦ The 3,000 papers give variant examples ◦ All have same form: “bad luck” followed by “good luck” ◦ Anticipated by Russell (1912) John Rushby, SR I CPS meets Philosophy 8
The Case of the Stopped Clock • Alice sees a clock that reads two o’clock, and believes that the time is two o’clock. It is in fact two o’clock. However, unknown to Alice, the clock she is looking at stopped exactly twelve hours ago • Alice has a justified true belief, but is it knowledge? ◦ The justification is not very good ◦ And some of her beliefs are false (bad luck) ◦ But critical one is true, by accident (good luck) • Diagnosis: need a criterion for good justification • Lots of attempts: e.g., “usually reliable process” (Ramsey) • Indefeasibility criterion for knowledge: ◦ Must be so confident in justification that there is no new information that would make us revise our opinion ◦ More realistically: cannot imagine any such information ◦ Such information is called a defeater John Rushby, SR I CPS meets Philosophy 9
The Indefeasibility Criterion • Assurance case argument must have no undefeated defeaters • Part company with philosophers: truth requires omniscience ◦ So this is a criterion for justification, not knowledge • But it is also consonant with Peirce’s limit theory of truth ◦ “truth is that concordance of a . . . statement with the ideal limit towards which endless investigation would tend to bring . . . belief” • Suggestion for use in practice ◦ Validate argument by seeking defeaters ◦ And defeating them ◦ It’s a strong criterion: reasoning steps must imply their claim, not merely suggest it John Rushby, SR I CPS meets Philosophy 10
Claims • We’ve looked at evidence and argument, now claims • Assurance case is typically about absence of serious faults ◦ So top claim is “no catastrophic faults” • But for most classical systems, social need is a bound on the rate/probability of serious failure ◦ E.g., for airplanes: “no catastrophic failure condition in entire operational life of all airplanes of one type” • What’s the connection between assurance for absence of faults and low probability of serious failure? • Failures are caused by faults • Assurance case gives us confidence in absence of faults • So high confidence in assurance yields low probability of failure • Really? John Rushby, SR I CPS meets Philosophy 11
Assurance and Probability of Failure • Confidence in assurance can be expressed as a subjective probability that the system is fault-free or nonfaulty: p nf ◦ Frequentist interpretation possible ◦ Research: how to get a credible estimate • Define p F | f as the probability that it Fails, if faulty • Then probability p srv ( n ) of surviving n independent demands (e.g., flight hours) without failure is given by p srv ( n ) = p nf + (1 − p nf ) × (1 − p F | f ) n (1) A suitably large n (e.g., 10 9 hours) can represent “entire operational life of all airplanes of one type” • First term gives lower bound for p srv ( n ) , independent of n • But we could be wrong (i.e., system has faults), so need contribution from second term, despite exponential decay John Rushby, SR I CPS meets Philosophy 12
Assurance and Probability of Failure (ctd.) • Useful 2nd term could come from prior failure-free operation • Calculating overall p srv ( n ) is a problem in Bayesian inference ◦ We have assessed a value for p nf ◦ Have observed some number r of failure-free demands ◦ Want to predict prob. of n − r future failure-free demands • Need a prior distribution for p F | f ◦ Difficult to obtain, and difficult to justify for certification ◦ However, there is a provably worst-case distribution • So can make predictions that are guaranteed conservative, given only p nf , r , and n ◦ For values of p nf above 0 . 9 ◦ The second term in (1) is well above zero ◦ Provided r > n 10 John Rushby, SR I CPS meets Philosophy 13
Assurance and Probability of Failure (ctd. 2) • So it looks like we need to fly 10 8 hours to certify 10 9 • Maybe not! • Entering service, we have only a few planes, need confidence for only, say, first six months of operation, so a small n • Flight tests are enough for this • Next six months, have more planes, but can base prediction on first six months (or ground the fleet, fix things, like 787) • And so on • Theory due to Strigini, Povyakalo, Littlewood, Zhao at City U • This is how/why airplane certification works • Remember it, we’ll return for autonomous cars John Rushby, SR I CPS meets Philosophy 14
Recommend
More recommend
